Freedom Issue #1227
Google in Iceweasel
100%
Description
In Iceweasel, both the default and the hardened version, there are some privacy issues due to some safebrowsing, for example these settings by default:
browser.safebrowsing.provider.google.lastupdatetime;1489439288016
browser.safebrowsing.provider.google.gethashURL;https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
browser.safebrowsing.provider.google.lists;goog-badbinurl-shavar,goog-downloadwhite-digest256,goog-phish-shavar,googpub-phish-shavar,goog-malware-shavar,goog-unwanted-shavar
browser.safebrowsing.provider.google.nextupdatetime;1489441054016
browser.safebrowsing.provider.google.pver;2.2
browser.safebrowsing.provider.google.reportURL;https://safebrowsing.google.com/safebrowsing/diagnostic?client=%NAME%&hl=%LOCALE%&site=
and seven more.
See about:config
Shouldn't some of these at least be set to 'false' and/or zero?
History
Updated by isacdaavid about 7 years ago
- Assignee changed from Anonymous to g4jc
- Status changed from open to info needed
Interesting, most of those exist in iceweasel but not in icecat 45. Additions or dependency injections maybe?
It is my understanding that "Safe Browsing" is being disabled at build time anyway, which is reflected by the key browser.safebrowsing.enabled. If this is correct then having those keys set to the factory defaults is completely harmless.
I'm assigning to G4JC, author of iceweasel-hardened, so that he can take a second look.
Updated by g4jc about 7 years ago
isacdaavid wrote:
It is my understanding that "Safe Browsing" is being disabled at build time anyway, which is reflected by the key browser.safebrowsing.enabled. If this is correct then having those keys set to the factory defaults is completely harmless.
Correct. Iceweasel sets safebrowsing to disabled so they have no effect. However, hardened takes it a step further and removes them completely just to be on the safe side. I also noticed that a few of the blacklists download in the background even though they are otherwise unused, which nulling them out fixes.
Updated by stig about 7 years ago
Perhaps I'm wrong or missing something, but neither in Iceweasel nor in Iceweasel-hardened are those settings removed or disabled, at least not in about:config. So I don't understand.
It is disabled in Iceweasel-hardened:
https://git.parabola.nu/abslibre.git/tree/nonprism/iceweasel-hardened-preferences/iceweasel-branding.js#n646
I don't understand what google is doing in Parabola's browser at all.
It is shipped by default in Mozilla Firefox, on which Iceweasel is based; "regular" Iceweasel will only set it to false.
https://git.parabola.nu/abslibre.git/tree/libre/iceweasel/vendor.js#n89
Would it be safe to set all the values to 'false', or is that stupid?
It should already be set to false; if it isn't set to false, then there is a major problem. Keep in mind that browser addons and user.js can both override Parabola's systemwide settings, so knowing more about your current configuration may help in debugging this.
Updated by g4jc about 7 years ago
- % Done changed from 0 to 100
- Status changed from info needed to fixed
Fixed in regular iceweasel with this commit:
https://git.parabola.nu/abslibre.git/commit/?id=59f1109923e62c85c273614d2b84932460a50771
Also disables Microsoft Family backdoor introduced with recent version of Firefox.
Updated by g4jc about 7 years ago
stig wrote:
Would it be safe to set all the values to 'false', or is that stupid?
To clarify this question: yes, setting them all to false isn't a good idea, since Firefox looks for valid syntax. It has to be "http://127.0.0.1", "about:blank", "data:text/html", or simply "" (blank).
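The following audit is an added example, not part of the thread or of Parabola's packaging. It checks the effective browser.safebrowsing.* values after a user.js override against the neutral values listed above. The function names and sample file contents are constructed, and "later source wins" is a simplified model of user.js overriding systemwide prefs.

```python
import re

# Values the thread names as valid ways to neutralise a URL pref.
NEUTRAL_URLS = {"", "about:blank", "data:text/html", "http://127.0.0.1"}
# Matches pref("name", value); and user_pref("name", value); lines.
PREF_RE = re.compile(r'^\s*(?:user_)?pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;', re.M)

def effective_prefs(*sources):
    """Merge pref files in precedence order; a later source overrides an earlier one."""
    merged = {}
    for text in sources:
        for name, raw in PREF_RE.findall(text):
            if raw in ("true", "false"):
                merged[name] = raw == "true"
            elif raw.startswith('"') and raw.endswith('"'):
                merged[name] = raw[1:-1]
            else:
                merged[name] = raw  # integers and anything else kept as text
    return merged

def audit(prefs):
    """Return {pref name: problem} for Safe Browsing prefs that are not neutralised."""
    findings = {}
    for name, value in sorted(prefs.items()):
        if not name.startswith("browser.safebrowsing."):
            continue
        if name.endswith(".enabled") and value is True:
            findings[name] = "enabled"
        elif name.endswith("URL"):
            if isinstance(value, bool):
                findings[name] = "boolean in a URL pref"
            elif value not in NEUTRAL_URLS:
                findings[name] = "remote URL"
        elif name.endswith(".lists") and value != "":
            findings[name] = "lists not blanked"
    return findings

# Constructed sample of systemwide defaults (one URL pref wrongly set to false).
SYSTEM = '''
pref("browser.safebrowsing.enabled", false);
pref("browser.safebrowsing.provider.google.gethashURL", "");
pref("browser.safebrowsing.provider.google.reportURL", false);
pref("browser.safebrowsing.provider.google.lists", "");
'''
# Constructed sample of a user.js that silently undoes the systemwide settings.
USER = '''
user_pref("browser.safebrowsing.enabled", true);
user_pref("browser.safebrowsing.provider.google.gethashURL", "https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2");
'''

if __name__ == "__main__":
    for name, problem in audit(effective_prefs(SYSTEM, USER)).items():
        print(f"{name}: {problem}")
```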
Updated by isacdaavid about 7 years ago
I'm watching this, since it's likely to resurface in Icecat in the future.